Re: [sleuthkit-developers] NTFS data run collisions
From: Alex N. <ajn...@cs...> - 2014-03-26 14:52:16
Hi Hongyi,

For clarification, these are allocated files you're asking about, right? If some of the files are deleted, the answer is pretty straightforward. Also, are you asking about partial or total overlaps?

You should be building your hash table based on MFT entry numbers, not on file names. NTFS allows multiple hard links.

Do you have example files you could reference in one of the publicly available disk images? (One of the M57's will likely give you an example.)

http://www.forensicswiki.org/wiki/Forensic_corpora#Disk_Images

--Alex

On Mar 25, 2014, at 14:00, Hu, Hongyi - 0559 - MITLL <Hon...@ll...> wrote:

> Hi,
>
> I'm an NTFS rookie with a question about data runs. Are there any normal reasons why two different files might have overlapping data runs, i.e. mapped to some of the same clusters/blocks on the disk?
>
> For a research project, I would like to do the following: given a sector on the disk, determine what file (if any) owns the data in that sector. The first thing I tried was to build a simple block to filename hash table. For each file, I look at its data runs and put them into the table. With both TSK and the analyzeMFT library and using a clean Windows XP disk image, I get a non-trivial number of block collisions.
>
> Is this normal behavior? I would have thought that the block assignments would be unique. I have not been successful finding any info about this in various documentation.
>
> Thanks!
>
> --
> Hongyi Hu
>
> MIT Lincoln Laboratory
> Group 59 (Cyber System Assessments)
> Ph: (781) 981-8224
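Added example, not part of the original message and not code from TSK or analyzeMFT: a cluster-ownership table keyed by MFT entry number, as suggested in the reply above, built by decoding raw NTFS runlists and reporting clusters claimed by more than one entry. The function names and the sample records are constructed for illustration.

```python
from collections import defaultdict

def decode_runlist(raw: bytes):
    """Decode an NTFS runlist into (start_lcn, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:      # 0x00 header ends the list
        len_sz, off_sz = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(raw):
            raise ValueError("malformed runlist")
        count = int.from_bytes(raw[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:  # signed offset, relative to the previous run's start LCN
            lcn += int.from_bytes(raw[pos:pos + off_sz], "little", signed=True)
            runs.append((lcn, count))
        pos += off_sz   # off_sz == 0 is a sparse run: no clusters on disk
    return runs

def build_cluster_map(records):
    """records: (mft_entry, name, runlist_bytes) tuples, one per file name.
    Returns cluster->entry owners, entry->names, and colliding clusters."""
    owner, names, collisions = {}, defaultdict(set), defaultdict(set)
    for entry, name, raw in records:
        first_seen = entry not in names
        names[entry].add(name)
        if not first_seen:
            continue        # hard link: same MFT entry, same runs, not a collision
        for start, count in decode_runlist(raw):
            for cluster in range(start, start + count):
                prev = owner.setdefault(cluster, entry)
                if prev != entry:
                    collisions[cluster].update((prev, entry))
    return owner, dict(names), dict(collisions)

# Constructed sample records (not taken from any real image).
SAMPLE = [
    (64, "report.doc",         bytes.fromhex("2108000111041000")),
    (64, "link_to_report.doc", bytes.fromhex("2108000111041000")),  # hard link
    (65, "notes.txt",          bytes.fromhex("2104000200")),
    (67, "other.bin",          bytes.fromhex("2104020200")),  # overlaps entry 65
]

if __name__ == "__main__":
    owner, names, collisions = build_cluster_map(SAMPLE)
    for cluster, entries in sorted(collisions.items()):
        print(cluster, {e: sorted(names[e]) for e in sorted(entries)})
```

A table keyed by file name would count the two names of entry 64 as a collision on every one of its clusters; keyed by entry number, only clusters 514 and 515 are reported, and the report distinguishes a partial overlap from a total one.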